PRIVACY POLICY OF “MEGAPARK” EOOD

“Megapark” EOOD respects the privacy of its clients and other persons in contact and guarantees the maximum level of protection of their personal data.

The current Policy for privacy and protection of personal data (as referred to below “Privacy Policy” or “the Policy”) aims to inform you about the personal data we collect for you, why and how we process it and what are your rights in this regard. This Policy is prepared and is based on the current Bulgarian and European legislation in the field of personal data protection, including without limitation the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “Regulation”) and the Personal data protection Act.

This Privacy Policy does not affect, limit or invalidate your rights under the Personal Data Protection Act, the Regulation or other relevant legislation.

Please read this Policy carefully before using the Site, as well as before entering into commercial, civil or other relations with us. If you do not want us to process your personal information in the manner described in this Privacy Policy, please do not provide it to us. If your personal data has been provided to us by a third party, your employer or assigner, you may also refer to the latter for more information.

If you have any questions or comments regarding this Privacy Policy, please contact us at: regulatorycompliance@lhinv.eu.

I. Who processes and takes responsibility for your personal data?

“Megapark” EOOD („Megapark”, „we”) is a company, registered in the Commercial Register to the Registry Agency with UIC 175031338, which collects, processes and stores your personal data under the terms of this Privacy Policy. “Megapark” EOOD is an administrator of personal data within the meaning of the Personal Data Protection Act. You can contact us at any of the following coordinates:

Мanagement address: Sofia city, District Sredetz, 4 Knjaz Aleksander I Str., fl.2 e-mail: regulatorycompliance@lhinv.eu.

“Megapark” EOOD is a company owner of Office Building, Class A with commercial name Megapark (“the Building”), located at Sofia city, 115 Tsarigradsko Schosse Blvd. and its surrounding plots (together referred to as “the Site”). “Megapark” EOOD processes personal data with regard to and to the extend necessary for the management of the leasing process of the Site, maintenance and management of the Site.

II. Sources for collection of personal data:

2.1. We may be provided with your personal data directly from You, when:

 You initiate contact with us for the purpose of entering into commercial or other civil relations with us, either in your capacity of an individual or when acting on behalf of legal entities – clients or other contracting parties “Megapark” EOOD;

 You visit the Site

In these cases, the scope of personal data we process is restricted to the one you provide us and which is required so that we may legally execute our commercial activity.

2.2. If you are an employee of our client (including lessee of an unit in the Building) or of our supplier/subcontractor/contracting party or of a subcontractor of a lessee in the Building, your personal data me be submitted to us by your employer or by an assigner of your employer.

2.3. We may process data collected or generated by us when executing our commercial activity:

 Video shooting when visiting the Site

 It is possible that when visiting our website statistic data as IP address, visited webpages, other identificatory stored in Cookies locally by the website user are collected (most of them are not qualified as personal data).

2.4. In order to ensure the proper performance of the services and the obligations arising from client contracts, “Megapark” EOOD may process information that is available in public registers (including public database and data disclosed on the Internet) as well as information obtained from third parties regarding the implementation of legal provisions regarding customers.

“Megapark” EOOD has the right and the duty to verify the correctness of the personal data stored in such databases and for this purpose requires you to verify the data and, if necessary, correct or validate your data.

III. Purposes and legal grounds for the processing of personal data

3.1. Processing of personal data that is necessary for the conclusion or performance of contracts with us or with regard to preparation for concluding contracts with us.

“Megapark” EOOD processes your personal data for the following purposes:

(i) Client identification upon: signing a new or changing an existing contract with us;

(ii) Negotiation on contracts; management of pre-contractual relations;

(iii) Managing and administration of contracts concluded with you, execution of obligations and exercising of rights.

3.2. In fulfillment of its legal obligations, “Megapark” EOOD processes your data for the following purposes:

(i) To perform its obligations provided for in the Accountancy Act and the Tax-Insurance Procedure Code and other related statutes in relation to proper and legal accounting; invoice issuing; upon execution of tax – insurance control by the respective competent authorities; control under the Anti- money Loundering (if applicable) and other;

(ii) Providing information to the Commission of personal data protection in relation to obligations provided by the regulatory of personal data protection – Personal Data Protection Act, the Regulation, etc.;

3.3. Processing based on protection of the legitimate interests of “Megapark” EOOD

(i) Upon video surveillance of the Site – for the purpose of protecting the security of the individuals in the Site, as well as for protection of the property and other assets, located on the Site;

(ii) upon managing the access control to the Site – for the purpose of protecting the security of the individuals in the Site, as well as for protection of the property and other assets, located on the site; providing of high quality service as Office Building Class A;

(iii) upon managing the contracts between the “Megapark” EOOD and contractors – legal entities – the personal data on this base are processed for the purpose of execution of contracts concluded between “Megapark” EOOD and a third party-legal entity, which has employment of other civil contractual relations with the data subject. This covers mainly personal data of legal representatives

and authorised representatives of contracting parties, contact persons, persons authorized and obliged to execute certain activities under the concluded contract.

IV. Categories of personal data we process

4.1. Personal data processed with regard to the functioning of the access control system and the access control on Reception of the Building:

(i) for employees of lessees in the Building and employees of other contracting parties – names, employer, car registration number (if applicable);

(ii) for visitors in the Site – names and the company each visitor intends to visit

4.2. Personal data processed upon video surveillance

A video image of the persons staying on or passing through the territory of the Site.

4.3. Personal Data processed with regard to entering into and execution of contracts, where “Megapark” EOOD is a party, regardless of whether concluded with you personally or with a company You are working for or you represent.

(i) Personal identification data – names, Personal identification number, data as per the personal ID card (these are processed as an exception only – for example when You are legal representative of a company or a proxy of such company – our contracting party and the agreement between us is notary certified);

(ii) Contact details – as post and electronic mails, phone and fax number;

(iii) Financial information – bank account, when a payment is made by or to You;

(iv) Professional information – employer, position;

Different types of personal data can be processed on their own or in combination.

VI. For what period is your personal data stored?

The period of time that your personal data is stored depends on the processing purposes for which it was collected:

1. Personal data processed for the purpose of concluding / amending and executing contracts between “Megapark” EOOD and you or between “Megapark” EOOD and a contracting party (legal entity) – for the term of the agreement and for consecutive term of 5 years after termination/expiration of the agreement’s term.

2. Personal data processed for the purpose of issuing accounting / financial documents and for exercising of tax control, audit and consecutive financial inspections – 10 years, as of 1 January of the period following the period under review (art.12, par.1, item.2 of the Accounting Act).

3. Video data from security cameras – up to 1 month from the video recording

4. Data connected to the functioning of the access control system and processed with regard to the access control rules: (i) for employees of lessees – until we receive the notification of the lessee that a person is no longer employee or until the termination of the lease agreement; (ii)for all other visitors in the Site – for a period of up to three months as of the secured access and submission of the data.

The personal data may be processed for a longer term in the case of a legal dispute that has already arisen or an administrative investigation until its final settlement with a court / arbitration ruling or until completion for the examination, as well as in other cases provided for in the law;

VI. Where we store your personal data?

The data we process about you are stored within the European Union and the European Economic Area.

At present based on the available information we, (as data controller) don’t transfer and don’t intend to transfer your personal data outside the European Union.

Any change of the above information will be reflected as an amendment in this Policy.

VII. Third-party categories that may access and process your personal data.

Your personal data, which are accessed by third persons, will be processed for the purposes described in this Policy. It is possible that in the process of delivering our services and managing of our relations with You or with the company you are employed in, we might need to use third parties, such as:

(i) Transportation / courier companies, postal operators in order to fulfill our contractual obligations, sending correspondence and communications, in connection with the contract between us;

(ii) People who, under the responsibility of the data controller, maintain the equipment and software used to process your personal data;

(iii) Banks, servicing payments made by and to you or an entity represented by you;

(iv) Individuals to whom “Megapark” EOOD has provided the implementation of part of the service or service-specific obligations we owe to you or to your employer;

(v) People/legal entity processing personal data who, on the basis of a contract with “Megapark” EOOD, process your personal data on behalf of “Megapark” EOOD. Such entities as at the date of the updated Policy are:

Lion’s Head Management AD, with UIN 204866290 – company managing the assets of the data controller;

VIP Security EOOD, with UIN 175457398 – a company registered under the Private Security Activity Act, which takes care about the security of the Site.

Robul Bulgaria EOOD, with UIN 130559046 – management company of the Property;

(vi) People doing consulting services in different spheres – lawyers, accountants, notary publics etc.;

(vii) People, institutions and persons to whom we are required to provide personal data under current legislation;

Please be informed that some of these companies have their own legal right or obligation to process your personal data, in their own capacity of data processor.

VIII. Your Rights in relation to the processing of your Personal Data

1. General rights

At any time while we store or process your personal data you have the following rights:

 To request a copy of Your personal data and right to access your personal data at any time, as well as to demand information why we process your personal data;

 To request that we correct, without undue delay, your inaccurate personal data as well as data that is not up to date;

 Upon certain circumstances to request from us your personal data in a form convenient to be transfered to another data controller, or request us to do so (the right of portability);

 To request the deletion of your personal data without undue delay in the presence of any of the legal grounds for doing so;

 To request that we restrict the processing of your personal data, in which case your data will only be stored but not processed. Our refusal (if such) to restrict the processing of your personal data will be explicit and only in writing, and we are obliged to ground it with legitimate reason;

 to withdraw your consent to the processing of your personal data at any time with a separate request addressed to us upon consent-based processing;

 to object to the processing of your personal data in case your personal data is processed based on our legitimate interest. If your objection is well-grounded, we will cease processing your personal data;

2. You have the right to appeal to the supervisory authority

You have the right to submit a complaint directly to the supervisory authority. The competent authority is the Personal Data Protection Commission, address: Bulgaria, Sofia 1592, “Prof. Tzvetan Lazarov “№ 2 (www.cpdp.bg).

3. Automated processing and profiling

We don’t use your personal data for automated decision making, including profiling, which to result in any legal consequences for you or affect you in significant amount.

5. Can you refuse to provide your personal data and what are the consequences of that?

We need certain data identifying the contracting party, its proxy, contact details, payment details. Not providing such data prevents us from signing a contract with you or with a company you are employed at or you represent.

Data processed for other than the above purpose may not be provided to us, by not visiting our Site.

IX. Amendments to the Privacy Policy

We may periodically update our Privacy Policy. In the event of a change in the current policy, a notice will be published on our website as well as the updated Privacy Policy. All amendments and additions to the Privacy Policy will be applied only after publishing its current content available through our Site. In case of major amendments of the Privacy Policy we may choose to send personal e-mail message to each one of you linking to the new Privacy Policy, so that we can be sure you will take time to read it.

This Policy enters into force on 23.05.2018 Last updated: 01.10.2020